
7.11. NTRUEncrypt as a Lattice Cryptosystem 425

Returning to Example 7.56, we see that the expected number of decryption keys in T(84, 83) for N = 251 and q = 257 is

$$\left(\frac{3}{257}\right)^{251}\binom{251}{84}\binom{167}{83} \approx 2^{-1222.02}. \qquad (7.45)$$

Of course, if h(x) is an NTRUEncrypt public key, then there do exist decryption keys, since we built the decryption key f(x) into the construction of h(x). But the probability calculation (7.45) makes it unlikely that there are any additional decryption keys beyond f(x) and its rotations.
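As an added example that is not from the book, the following Python evaluates the expected count in (7.45) for arbitrary (N, q, d1, d2). The two binomial coefficients and the factor (3/q)^N each overflow floating point on their own, so everything is done in the base-2 logarithm domain via lgamma. It assumes the heuristic behind (7.45), namely that each of the N coefficients of F ⋆ h mod q lands in {−1, 0, 1} independently with probability 3/q; the function names are mine.

```python
import math


def log2_binom(n, k):
    """log2 of the binomial coefficient C(n, k), via lgamma so that huge values never overflow."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)) / math.log(2)


def log2_size_ternary(N, d1, d2):
    """log2 #T(d1, d2): choose d1 positions for +1, then d2 of the remaining N - d1 for -1."""
    return log2_binom(N, d1) + log2_binom(N - d1, d2)


def log2_expected_spurious_keys(N, q, d1, d2):
    """log2 of the expected number of F in T(d1, d2) for which F * h mod q is ternary.

    Assumed heuristic (my reading of (7.45)): each of the N coefficients of F * h mod q is
    in {-1, 0, 1} with probability 3/q, so the expectation is #T(d1, d2) * (3/q)^N.
    """
    return log2_size_ternary(N, d1, d2) + N * math.log2(3 / q)


def example_7_56():
    """The instance of Example 7.56: N = 251, q = 257, keys sought in T(84, 83)."""
    return log2_expected_spurious_keys(251, 257, 84, 83)   # about -1222.02


if __name__ == "__main__":
    print("log2(expected extra keys) =", round(example_7_56(), 2))
```

Because the answer is a logarithm, the same function is usable for parameter sets where the count is astronomically small or large; the sign of the result is what matters when judging whether spurious keys are a concern.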

7.11 NTRUEncrypt as a Lattice Cryptosystem

In this section we explain how NTRU key recovery can be formulated as a shortest vector problem in a certain special sort of lattice. Exercise 7.36 sketches a similar description of NTRU plaintext recovery as a closest vector problem.

7.11.1 The NTRU Lattice

Let
$$h(x) = h_0 + h_1 x + \cdots + h_{N-1} x^{N-1}$$
be an NTRUEncrypt public key. The NTRU lattice $L_h^{\mathrm{NTRU}}$ associated to h(x) is the 2N-dimensional lattice spanned by the rows of the matrix

$$M_h^{\mathrm{NTRU}} = \begin{pmatrix}
1 & 0 & \cdots & 0 & h_0 & h_1 & \cdots & h_{N-1} \\
0 & 1 & \cdots & 0 & h_{N-1} & h_0 & \cdots & h_{N-2} \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & 1 & h_1 & h_2 & \cdots & h_0 \\
0 & 0 & \cdots & 0 & q & 0 & \cdots & 0 \\
0 & 0 & \cdots & 0 & 0 & q & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & 0 & 0 & 0 & \cdots & q
\end{pmatrix}.$$

Notice that $M_h^{\mathrm{NTRU}}$ is composed of four N-by-N blocks:

Upper left block = Identity matrix,
Lower left block = Zero matrix,
Lower right block = q times the identity matrix,
Upper right block = Cyclical permutations of the coefficients of h(x).

It is often convenient to abbreviate the NTRU matrix as
$$M_h^{\mathrm{NTRU}} = \begin{pmatrix} I & h \\ 0 & qI \end{pmatrix}, \qquad (7.46)$$
where we view (7.46) as a 2-by-2 matrix with coefficients in R. We are going to identify each pair of polynomials
$$a(x) = a_0 + a_1 x + \cdots + a_{N-1} x^{N-1} \quad\text{and}\quad b(x) = b_0 + b_1 x + \cdots + b_{N-1} x^{N-1}$$
in R with a 2N-dimensional vector
$$(a, b) = (a_0, a_1, \ldots, a_{N-1}, b_0, b_1, \ldots, b_{N-1}) \in \mathbb{Z}^{2N}.$$
We now suppose that the NTRUEncrypt public key h(x) was created using the private polynomials f(x) and g(x) and compute what happens when we multiply the NTRU matrix by a carefully chosen vector.

Proposition 7.59. Assuming that $f(x) \star h(x) \equiv g(x) \pmod{q}$, let $u(x) \in R$ be the polynomial satisfying
$$f(x) \star h(x) = g(x) + q\,u(x). \qquad (7.47)$$
Then
$$(f, -u)\, M_h^{\mathrm{NTRU}} = (f, g), \qquad (7.48)$$
so the vector (f, g) is in the NTRU lattice $L_h^{\mathrm{NTRU}}$.

Proof. It is clear that the first N coordinates of the product (7.48) are the vector f, since the left-hand side of $M_h^{\mathrm{NTRU}}$ is the identity matrix atop the zero matrix. Next consider what happens when we multiply the column of $M_h^{\mathrm{NTRU}}$ whose top entry is $h_k$ by the vector (f, −u). We get the quantity

$$h_k f_0 + h_{k-1} f_1 + \cdots + h_{k+1} f_{N-1} - q u_k,$$
which is the kth entry of the vector $f(x) \star h(x) - q\,u(x)$. From (7.47), this is the kth entry of the vector g, so the second N coordinates of the product (7.48) form the vector g. Finally, (7.48) says that we can get the vector (f, g) by taking a certain linear combination of the rows of $M_h^{\mathrm{NTRU}}$. Hence $(f, g) \in L_h^{\mathrm{NTRU}}$.

Remark 7.60. Using the abbreviation (7.46) and multiplying 2-by-2 matrices having coefficients in R, the proof of Proposition 7.59 becomes the succinct computation
$$(f, -u)\begin{pmatrix} 1 & h \\ 0 & q \end{pmatrix} = (f,\; f \star h - q u) = (f, g).$$

Proposition 7.61. Let (N, p, q, d) be NTRUEncrypt parameters, where for simplicity we will assume that p = 3 and d ≈ N/3 and q ≈ 6pd ≈ 2pN. Let $L_h^{\mathrm{NTRU}}$ be an NTRU lattice associated to the private key (f, g).

(a) $\det(L_h^{\mathrm{NTRU}}) = q^N$.
(b) $\|(f, g)\| \approx \sqrt{4d} \approx \sqrt{4N/3} \approx 1.155\sqrt{N}$.
(c) The Gaussian heuristic predicts that the shortest nonzero vector in the NTRU lattice has length
$$\sigma(L_h^{\mathrm{NTRU}}) \approx \sqrt{Nq/\pi e} \approx 0.838\,N.$$

Hence if N is large, then there is a high probability that the shortest nonzero vectors in $L_h^{\mathrm{NTRU}}$ are (f, g) and its rotations. Further,
$$\frac{\|(f, g)\|}{\sigma(L)} \approx \frac{1.38}{\sqrt{N}},$$
so the vector (f, g) is a factor of $O(1/\sqrt{N})$ shorter than predicted by the Gaussian heuristic.

Proof. (a) Proposition 7.20 says that $\det(L_h^{\mathrm{NTRU}})$ is equal to the determinant of the matrix $M_h^{\mathrm{NTRU}}$. The matrix is upper triangular, so its determinant is the product of the diagonal entries, which equals $q^N$.
(b) Each of f and g has (approximately) d coordinates equal to 1 and d coordinates equal to −1.
(c) Using (a) and keeping in mind that $L_h^{\mathrm{NTRU}}$ has dimension 2N, we estimate the Gaussian expected shortest length using the formula (7.21),
$$\sigma(L_h^{\mathrm{NTRU}}) = \sqrt{\frac{2N}{2\pi e}}\,(\det L)^{1/2N} = \sqrt{\frac{Nq}{\pi e}} \approx \sqrt{\frac{6}{\pi e}}\; N.$$
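The following Python program is an added example and not code from the book. It builds a toy instance of the objects in Propositions 7.59 and 7.61 for general (N, q, d): it constructs $M_h^{\mathrm{NTRU}}$, computes $u = (f \star h - g)/q$ and verifies the identity (7.48), checks that the matrix is upper triangular with determinant $q^N$, and compares $\|(f, g)\|$ with the Gaussian heuristic of (7.21). The sample sizes (N = 11, q = 59, d = 3), the seeded key generation, the use of a modular linear solver on the circulant system in place of a polynomial inverse, and all function names are my own assumptions.

```python
import math
import random


def conv(a, b):
    """NTRU star product: a(x) * b(x) in R = Z[x]/(x^N - 1)."""
    N = len(a)
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c


def rotate(h, i):
    """Coefficient vector of x^i * h(x), i.e. row i of the circulant block of M_h."""
    N = len(h)
    return [h[(k - i) % N] for k in range(N)]


def solve_mod(A, b, q):
    """Solve A x = b over Z_q (q prime) by Gaussian elimination; None if A is singular."""
    n = len(A)
    M = [list(row) + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % q), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [(v * inv) % q for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] % q:
                t = M[r][col]
                M[r] = [(vr - t * vc) % q for vr, vc in zip(M[r], M[col])]
    return [row[n] for row in M]


def ternary(rng, N, d1, d2):
    """Random element of T(d1, d2): d1 coefficients +1, d2 coefficients -1, the rest 0."""
    coeffs = [1] * d1 + [-1] * d2 + [0] * (N - d1 - d2)
    rng.shuffle(coeffs)
    return coeffs


def keygen(N, q, d, seed=1):
    """Toy key (assumed shapes): f in T(d+1, d), g in T(d, d), h = f^{-1} * g (mod q).
    Invertibility of f mod p plays no role in the lattice, so it is not checked here."""
    rng = random.Random(seed)
    while True:
        f, g = ternary(rng, N, d + 1, d), ternary(rng, N, d, d)
        # (f*h)_k = sum_j f_{k-j} h_j, so h solves the circulant system C h = g (mod q).
        C = [[f[(k - j) % N] for j in range(N)] for k in range(N)]
        h = solve_mod(C, [x % q for x in g], q)
        if h is not None:          # retry until f is invertible mod q
            return f, g, h


def ntru_matrix(h, q):
    """The 2N x 2N matrix M_h^NTRU = [[I, h], [0, qI]] whose rows span L_h^NTRU."""
    N = len(h)
    top = [[int(i == j) for j in range(N)] + rotate(h, i) for i in range(N)]
    bottom = [[0] * N + [q * int(i == j) for j in range(N)] for i in range(N)]
    return top + bottom


def row_times_matrix(v, M):
    """Row vector v times matrix M."""
    return [sum(vi * M[i][j] for i, vi in enumerate(v)) for j in range(len(M[0]))]


def key_vector_in_lattice(f, g, h, q):
    """Proposition 7.59: with u = (f*h - g)/q, the row vector (f, -u) times M_h equals (f, g)."""
    fh = conv(f, h)
    assert all((x - y) % q == 0 for x, y in zip(fh, g)), "f*h must equal g mod q"
    u = [(x - y) // q for x, y in zip(fh, g)]
    return row_times_matrix(f + [-x for x in u], ntru_matrix(h, q)) == f + g


def det_is_q_to_N(h, q):
    """Proposition 7.61(a): M_h is upper triangular, so det = product of the diagonal = q^N."""
    M = ntru_matrix(h, q)
    n = len(M)
    upper = all(M[i][j] == 0 for i in range(n) for j in range(i))
    return upper and math.prod(M[i][i] for i in range(n)) == q ** len(h)


def gaussian_heuristic(N, q):
    """Formula (7.21) for L_h^NTRU (dimension 2N, determinant q^N):
    sqrt(2N / (2 pi e)) * (q^N)^(1/2N) = sqrt(N q / (pi e))."""
    return math.sqrt(N * q / (math.pi * math.e))


def shortness_ratio(f, g, N, q):
    """||(f, g)|| / sigma(L); Proposition 7.61 predicts roughly 1.38 / sqrt(N)."""
    return math.sqrt(sum(x * x for x in f + g)) / gaussian_heuristic(N, q)


if __name__ == "__main__":
    N, q, d = 11, 59, 3                    # toy sizes, q roughly 2pN with p = 3
    f, g, h = keygen(N, q, d)
    print(key_vector_in_lattice(f, g, h, q), det_is_q_to_N(h, q))
    print(shortness_ratio(f, g, N, q), 1.38 / math.sqrt(N))
```

Solving the circulant system C h ≡ g (mod q) is the same computation as $f^{-1} \star g$ mod q; the retry loop in keygen stands in for the usual check that f is invertible. With f ∈ T(d+1, d) and g ∈ T(d, d) the squared norm of (f, g) is exactly 4d + 1, which is the "≈ 4d" of Proposition 7.61(b).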

7.11.2 Quantifying the Security of an NTRU Lattice

Proposition 7.61 says that Eve can determine Alice's private NTRU key if she can find a shortest vector in the NTRU lattice $L_h^{\mathrm{NTRU}}$. Thus the security of NTRUEncrypt depends at least on the difficulty of solving SVP in $L_h^{\mathrm{NTRU}}$. More generally, if Eve can solve apprSVP in $L_h^{\mathrm{NTRU}}$ to within a factor of approximately $N^{\epsilon}$ for some $\epsilon < \frac{1}{2}$, then the short vector that she finds will probably serve as a decryption key. This leads to the question of how to estimate the difficulty of finding a short, or shortest, vector in an NTRU lattice. The LLL algorithm that we describe in Sect. 7.13.2 runs in polynomial time and solves apprSVP to within a factor of $2^N$, but if N is large, LLL does not find very small vectors in $L_h^{\mathrm{NTRU}}$. In Sect. 7.13.4 we describe a generalization of the LLL algorithm, called BKZ-LLL, that is able to find very small vectors. The BKZ-LLL algorithm includes a blocksize parameter β, and it solves apprSVP to within a factor of $\beta^{2N/\beta}$, but its running time is exponential in β.

Unfortunately, the operating characteristics of standard lattice reduction algorithms such as BKZ-LLL are not nearly as well understood as are the operating characteristics of sieves, the index calculus, or Pollard's ρ method. This makes it difficult to predict theoretically how well a lattice reduction algorithm will perform on any given class of lattices. Thus in practice, the security of a lattice-based cryptosystem such as NTRUEncrypt must be determined experimentally. Roughly, one takes a sequence of parameters (N, q, d) in which N grows and such that certain ratios involving N, q, and d are held approximately constant. For each set of parameters, one runs many experiments using BKZ-LLL with increasing block size β until the algorithm finds a short vector in $L_h^{\mathrm{NTRU}}$. Then one plots the logarithm of the average running time against N, verifies that the points approximately lie on a line, and computes the best-fitting line

$$\log(\text{Running Time}) = AN + B. \qquad (7.49)$$

After doing this for many values of N up to the point at which the computations become infeasible, one can use the line (7.49) to extrapolate the expected amount of time it would take to find a private key vector in an NTRU lattice $L_h^{\mathrm{NTRU}}$ for larger values of N. Such experiments suggest that values of N in the range from 250 to 1000 yield security levels comparable to currently secure implementations of RSA, Elgamal, and ECC. Details of such experiments are described in [102].

Remark 7.62. Proposition 7.61 says that the short target vectors in an NTRU lattice are $O(\sqrt{N})$ shorter than predicted by the Gaussian heuristic. Theoretically and experimentally, it is true that if a lattice of dimension n has a vector that is extremely small, say $O(2^n)$ shorter than the Gaussian prediction, then lattice reduction algorithms such as LLL and its variants are very good at finding the tiny vector. It is a natural and extremely interesting question to ask whether vectors that are only O(n) shorter than the Gaussian prediction might similarly be easier to find. At this time, no one knows the answer to this question.
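As an added example that is not from the book and uses no real measurements, the following Python carries out the fitting and extrapolation step of (7.49) on a constructed set of (N, running time) pairs. It fits the line by least squares in the base-2 logarithm, reports the residuals (the "verify that the points approximately lie on a line" step), extrapolates the predicted time to a larger N, and inverts the line to find the smallest N whose extrapolated attack time reaches a target. SAMPLE_RUNS, the choice of base 2, and the helper names are my own.

```python
import math

# Constructed sample of (N, average seconds for BKZ-LLL to find a short vector).
# These timings are invented to illustrate the fit; they are not measurements.
SAMPLE_RUNS = [(120, 2.0 ** 14.02), (140, 2.0 ** 15.97), (160, 2.0 ** 18.01),
               (180, 2.0 ** 19.99), (200, 2.0 ** 22.01)]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def fit_log_line(runs):
    """Least-squares fit of log2(time) = A*N + B to (N, time) pairs, the line of (7.49)."""
    xs = [n for n, _ in runs]
    ys = [math.log2(t) for _, t in runs]
    xbar, ybar = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    A = sxy / sxx
    return A, ybar - A * xbar


def residuals(runs, A, B):
    """Distance of each measured log2(time) from the fitted line; large values mean the
    exponential model is not a good description of the data."""
    return [math.log2(t) - (A * n + B) for n, t in runs]


def predicted_years(A, B, N):
    """Extrapolate (7.49) to a larger N and express the running time in years."""
    return 2.0 ** (A * N + B) / SECONDS_PER_YEAR


def min_N_for_time(A, B, seconds):
    """Smallest N whose extrapolated running time is at least the given number of seconds."""
    return math.ceil((math.log2(seconds) - B) / A - 1e-9)


if __name__ == "__main__":
    A, B = fit_log_line(SAMPLE_RUNS)
    print("slope A =", round(A, 4), "intercept B =", round(B, 4))
    print("max residual =", max(abs(r) for r in residuals(SAMPLE_RUNS, A, B)))
    print("predicted years at N = 400:", predicted_years(A, B, 400))
    print("smallest N for 2^42 seconds:", min_N_for_time(A, B, 2.0 ** 42))
```

Fitting in the log domain is what turns the exponential-growth assumption into a straight line, and it is also why the extrapolation is so sensitive to the slope: a small error in A becomes a large error in the predicted time once N is several times larger than any measured value, which is the reason the text insists on running the experiments for as many values of N as is feasible.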

7.12 Lattice-Based Digital Signature Schemes

We have already seen digital signature schemes whose security depends on the factorization problem (Sect. 4.2) and on the discrete logarithm problem in the multiplicative group of a finite field (Sect. 4.3) or in an elliptic curve group (Sect. 6.4.3). In this section we briefly discuss how digital signature schemes may be constructed from hard lattice problems.

7.12.1 The GGH Digital Signature Scheme

It is easy to convert the CVP idea underlying GGH encryption into a lattice-based digital signature scheme. Samantha knows a good (i.e., short and